
synapse's password policy is ignored/circumvented

Open HarHarLinks opened this issue 3 years ago • 4 comments

Describe the bug

To Reproduce

  1. setup synapse password policy e.g. minimum length 10 letters
  2. register new user with token, using a policy violating password, e.g. 8 characters long

Expected behavior

respect pw policy

Screenshots

System:

  • OS: docker
  • python version: docker
  • matrix registration version: v0.7.2 (docker)

Additional context

not sure what good practices are regarding informing users of the pw policy

HarHarLinks avatar Oct 23 '21 16:10 HarHarLinks

are those policies being exposed somehow? otherwise you can set this manually via https://github.com/ZerataX/matrix-registration/blob/master/config.sample.yaml#L41

zeratax avatar Oct 24 '21 21:10 zeratax

looks like they are, this is the MSC the synapse sample config file links to https://github.com/matrix-org/matrix-doc/blob/babolivier/password-policy/proposals/2000-password-policies.md

HarHarLinks avatar Oct 24 '21 21:10 HarHarLinks

Since the admin of the Synapse server also runs matrix-registration, we'd have two ways of implementing this:

Requesting the server policy via synapse api
  + following the configuration setup in synapse
  - doesn't seem to have a default value (on my server it just returns empty json body - synapse 1.37.1 / edit: even matrix.org doesn't seem to implement /_matrix/client/r0/password_policy)
  - doesn't seem to be suggested anywhere to change these (correct me if I missed it)
  - the synapse config files are quite cryptic and always scary for less experienced admins to touch

Implementing it ourselves
  + centralised registration policies (e.g. usernames, passwords)
  + cleaner way of configuration (easier to find in my opinion)
  (+ prettier on our side to implement without repeating api calls)

Conclusion / Proposal

The probability of one using the integrated registration feature of synapse alongside matrix-registration is quite low. So I propose that we include these settings into our password requirement field somewhat like this:

# password requirements
password:
  min_length: 8
  needs_lowercase: true
  needs_uppercase: false
  needs_numbers: false
  needs_symbols: false

Of course open to suggestions (esp. regarding the default values)

xelantro avatar Oct 25 '21 00:10 xelantro

looks like this msc isn't yet merged? https://github.com/matrix-org/matrix-doc/pull/2000

it is in synapse though: https://github.com/matrix-org/synapse/pull/7118/

@xelantro looks like if you don't define a password policy it just responds with {} since as the msc describes all parameters are optional

zeratax avatar Oct 25 '21 00:10 zeratax
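Added example, not code from matrix-registration or Synapse: it models both options discussed above, the policy block proposed in xelantro's comment and a policy fetched from Synapse's /_matrix/client/r0/password_policy endpoint, where (as zeratax notes) every field is optional and an unconfigured server answers {}. The endpoint key names ("m.minimum_length", "m.require_digit", "m.require_symbol", "m.require_lowercase", "m.require_uppercase") are assumed from MSC2000; the thread itself does not list them. The HTTP fetch is left out so the example runs offline on constructed response bodies.

```python
"""Check a candidate password against a Matrix password policy.

Added example (not matrix-registration's code). Two policy sources are
supported: a local config block as proposed in the issue, and the JSON body
of GET /_matrix/client/r0/password_policy (MSC2000). Key names for the
endpoint are an assumption taken from the MSC, not from the thread.
"""

# Map MSC2000 response keys -> the local config keys proposed in the thread.
MSC_KEYS = {
    "m.minimum_length": "min_length",
    "m.require_lowercase": "needs_lowercase",
    "m.require_uppercase": "needs_uppercase",
    "m.require_digit": "needs_numbers",
    "m.require_symbol": "needs_symbols",
}


def policy_from_server(body: dict) -> dict:
    """Normalise a password_policy response into the local config shape.

    All fields are optional, so an empty body ({}) yields an empty policy,
    meaning the server enforces nothing and only local rules apply.
    """
    return {local: body[remote] for remote, local in MSC_KEYS.items() if remote in body}


def merge_policies(local: dict, server: dict) -> dict:
    """Combine two policies rule by rule, keeping the stricter requirement."""
    merged = dict(local)
    merged["min_length"] = max(local.get("min_length", 0), server.get("min_length", 0))
    for key in ("needs_lowercase", "needs_uppercase", "needs_numbers", "needs_symbols"):
        merged[key] = bool(local.get(key)) or bool(server.get(key))
    return merged


def check_password(password: str, policy: dict) -> list:
    """Return the rules the password violates; an empty list means accepted.

    Character classes use str methods rather than [a-z] so non-ASCII letters
    count as letters.
    """
    violations = []
    min_len = policy.get("min_length", 0)
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")
    checks = [
        ("needs_lowercase", lambda c: c.islower(), "no lowercase letter"),
        ("needs_uppercase", lambda c: c.isupper(), "no uppercase letter"),
        ("needs_numbers", lambda c: c.isdigit(), "no digit"),
        ("needs_symbols", lambda c: not c.isalnum(), "no symbol"),
    ]
    for key, predicate, message in checks:
        if policy.get(key) and not any(predicate(c) for c in password):
            violations.append(message)
    return violations


if __name__ == "__main__":
    # Constructed sample inputs: the issue's scenario (min length 10, 8-char
    # password) and a server that returns an empty policy body.
    local_policy = {"min_length": 10, "needs_lowercase": True}
    server_body = {}  # what an unconfigured Synapse answers
    policy = merge_policies(local_policy, policy_from_server(server_body))
    print(check_password("abcdefgh", policy))    # shorter than 10 characters
    print(check_password("abcdefghij", policy))  # [] -> accepted
```

Registration code would call check_password before forwarding the registration request to Synapse and report the returned messages to the user, which also answers the question in the issue about how to tell users what the policy is.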